The rapporteur to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), Jan Philipp Albrecht MEP, has recently presented to the LIBE Committee his draft report (the “Report”) proposing amendments to the European Commission’s draft General Data Protection Regulation (the “Regulation”).
The Report will form the basis for further LIBE Committee discussion before the Regulation is voted on by the European Parliament. The changes suggested in the Report include: changes to the rules on processing personal data for historical or statistical purposes; limiting the “legitimate interest” ground as a basis for processing personal data; derogations on the use of social security data; broadening the scope of national derogations to safeguard freedom of expression; and a stronger emphasis on data protection by design and by default. In many cases the Report goes further than the Commission’s proposals, for example in seeking to add further restrictions on the manner in which certain categories of personal data can be processed.
The Regulation itself is currently under discussion in the Council of Ministers and the European Parliament. The deadline for tabling amendments to the Regulation passed in December 2012, and discussion of those amendments, including the Report, is taking place in January and February 2013. The Regulation is also the subject of two recent opinions published by the Article 29 Data Protection Working Party and has attracted much commentary from practitioners, academics and the media over the past twelve months. It is anticipated that the new rules will not be in force before 2014. The Working Party is expected to contribute to ongoing discussions on the scope of the Regulation, in particular concerning the exemption for household and personal use.
The Regulation as currently drafted proposes a number of significant changes to the existing law, which are outlined below.
Authority Delegated to the Commission
The Commission’s proposal that the reform of the European data protection regime be implemented by way of a Regulation, rather than a Directive, will significantly change the regulatory landscape as we currently know it.
For those unfamiliar with EU legislative instruments: a Directive, in simple terms, lays down objectives to be achieved by the laws of the Member States within a set timeframe and within the scope the Directive defines, but leaves the means of achieving those objectives to the national legislatures. A Regulation, on the other hand, has direct effect and is enforceable once adopted at EU level, so no national implementing legislation is needed. The primary motivation for this change is the Commission’s wish to ensure greater harmonisation of data protection law across the Member States. A degree of harmonisation already exists, since the Member States’ national data protection laws share a common origin in the Data Protection Directive, but aspects of the Directive have been implemented differently from one Member State to another. This has inevitably led to disparities in data protection regulation between the Member States.
So, does this mean that the Regulation will act as a singular reference point for compliance requirements once it is enacted? The answer is yes - and no. It will certainly act as the primary reference point, but reasonably large areas of regulation are, at least in the Regulation as currently proposed, to be delegated and implemented by the Commission. This means that the Commission (as opposed to Member State legislators) will have the authority to supplement or amend those areas of regulation as required, for example, in order to fill gaps or ascribe greater detail to regulatory requirements. The areas in respect of which authority is to be delegated to the Commission under the Regulation include aspects of the right of data subjects to access their data, the right to be forgotten and notification of personal data breaches.
The concept of delegation to the Commission is recognised in EU law. It is, however, subject to limits, and the approach of delegating a broad swathe of the regime to the Commission has drawn criticism (some of it quite pronounced) from a number of quarters, including the Article 29 Working Party and Member States. The criticism is based primarily on the view that the proposed delegation does not conform to the general principles governing delegated acts and simply goes too far. According to its detractors, the number of areas in which authority is granted to the Commission is excessive (there are 26), and in certain areas the nature of that authority goes beyond merely supplementing or amending non-essential elements of the Regulation and strays into the grant of legislative power to the Commission. Critics also point out that the parameters and criteria applicable to the delegated acts are not sufficiently or appropriately defined in the Regulation.
The Article 29 Working Party has issued an opinion which considers the acts that the current draft of the Regulation delegates to the Commission (Opinion 08/2012, adopted on 5 October 2012). Its view is that delegation to the Commission should only arise where the Commission can substantiate that it is necessary, rather than granting authority “just in case” it is needed in the future. The Working Party has backed the Commission in relation to certain delegated acts, however, it does recommend that some acts currently delegated be dealt with in more detailed provisions within the Regulation itself or be addressed by way of guidance from the European Data Protection Board (EDPB). The EDPB is a body to be established by the Regulation which, in effect, is an upgrading of the Article 29 Working Party to a body with statutory footing and authority. It is perhaps not surprising, therefore, that the Working Party feels that some aspects of data protection regulation might be best addressed through EDPB guidance.
Criticism of the Regulation and its delegation of authority is all well and good, but is the criticism being heard? It would seem so. Commission Vice-President and EU Justice Commissioner Viviane Reding recently stated that “although I believe that delegated and implementing acts are one of the ways to achieve legal certainty, I am prepared to look at other ways to ensure an effective application of the rules.” Having re-examined the delegated and implementing acts one-by-one, there are a number which Commissioner Reding “would be happy to replace”. In lieu of those acts, there could be more “detail in the text … codes of conduct and other business-led initiatives or just deleting the act in its entirety.”
It seems likely, therefore, that the scope of delegation that is presently contemplated in the Regulation will be changed (and perhaps cut back) before it is finally enacted. Just how far remains to be seen.
Lead Supervisory Authority (the “One-Stop Shop”)
The Regulation proposes a single lead data protection authority for data controllers and data processors that operate in multiple Member States, as a means of centralising their supervision. In principle this is a significant step towards resolving the uncertainty that many controllers and processors currently face as to which supervisory authority is competent for their activities.
The Regulation as drafted, however, still leaves broad scope for interpretation on this point, and we would suggest that this scope be narrowed before the Regulation takes its final form. While the concept of a lead authority might give the impression of a streamlined “one-stop shop” for controllers and processors, indications are that this is not quite what the Commission intends (or at least not what will happen in practice). Based on comments from Commission Vice-President Viviane Reding, the lead authority concept seems likely to be closer to a formalisation (with enhancements) of the existing co-operation between the various national and state data protection authorities. Separately, an organisation will need to demonstrate that it has taken steps to comply with the Regulation; those steps will have to be documented and made available to a supervisory authority for inspection, and the organisation will also be subject to auditing and training requirements.
At a conference entitled “21st Century Technology: Stretching the Limits and Notions of our Right to Privacy”, held in the Law Society of Ireland on Saturday 8 September 2012, the Deputy Data Protection Commissioner Gary Davis noted that under the proposed Regulation “the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States”, and that a number of multinational technology companies had already made it known to the DPC that they regard their Irish offices as their “main establishment” under the Regulation. He concluded that it had never been intended that an office of 20 people in Portarlington, County Laois would be the focal point for data privacy across Europe, since nearly all of the major multinationals such as Google, Microsoft, Facebook, LinkedIn and Twitter are based in Ireland and would all come under the remit of the DPC under the Regulation.
As mentioned above, however, it is not sufficiently clear at this stage that this “one-stop shop” approach will be implemented in the new Regulation.
Requirements to appoint a data protection officer
All controllers and processors with 250 or more employees will be required to appoint a data protection officer for a minimum initial term of two years. The same requirement applies to any controller or processor whose core activities involve “regular and systematic monitoring of data subjects”, regardless of headcount. The Regulation also permits a group of undertakings to appoint a single data protection officer rather than one per entity.
Extension of Establishment Principle
The Regulation extends the scope of the European data protection regime to data controllers, established outside of the EU, in situations where the processing of personal data by those controllers is related to either offering goods or services to EU residents, or to the monitoring of their behaviour.
This change would bring into scope many international businesses that target EU residents through tracking, data mining and targeted advertising but are not currently deemed to be “established” in an EU Member State for the purposes of the Data Protection Directive, and to whose processing activities the law may therefore not have applied until now. How these rules will be enforced against controllers located outside the EU is, however, not yet clear.
Severe Financial Sanctions
The new regime will have a tiered penalty system with maximum penalties for intentional or negligent breaches of up to €1,000,000 or 2% of the annual worldwide turnover of an “enterprise”. What constitutes an “enterprise” for the purpose of the Regulation remains to be determined. The highest penalties will apply to breaches such as processing personal data without sufficient legal basis, failure to notify a personal data breach in accordance with the Regulation, or failure to designate a data protection officer where required to do so.
Data subjects will also be given a judicial remedy, including damages, against data controllers and data processors who infringe their rights by failing to comply with the Regulation.
There is merit in providing for tough financial sanctions as a means of encouraging the protection of individuals with respect to the processing of their data and discouraging breaches of the Regulation by controllers and processors. However, the proposed classification of offences, the level of fines attached to them and the uncertainty surrounding how the quantum of a fine will be determined each require further consideration by the European Commission.
Consent
The Regulation proposes to make it more difficult for organisations to rely on consent as a means of justifying the collection and processing of personal data. The definition of consent in the Regulation requires it to be explicit, and data controllers must be able to prove that it has been obtained. Data subjects may still give consent by a “clear affirmative action”, such as ticking a box online, but consent may not be relied upon where there is a “significant imbalance in the form of dependence between the position of the data subject and the controller”.
For data controllers operating in Member States that have until now permitted them to rely on implied consent, this will require a major change in practice and could prove challenging in the online environment. It may also prove difficult for controllers to obtain valid consent where there is an inherent imbalance between controller and data subject, such as between an employer and an employee.
In Opinion 08/2012 (the “Opinion”), the Article 29 Data Protection Working Party (the “Working Party”) emphasised that “in order to properly protect the privacy of personal information and future-proof the Regulation, it is necessary to … ensure that where consent is relied on, the consent is of a high standard”. No examples of acceptable methods of consent were given by the Working Party.
The Working Party acknowledged that doubts had been raised as to the feasibility of the word “explicit” in the context of consent in Article 4(8) of the Regulation but stated that it would be highly undesirable to delete the word “explicit” from the draft. The Working Party maintained that the inclusion of the word “explicit” was necessary “to truly enable data subjects to exercise their rights, especially on the Internet where there is now too much improper use of consent”.
It should be noted that a new definition of 'child' is contained in Article 4(18) of the Regulation. A child is defined as anyone under 18 years old, although the substantive rules in the Regulation apply to a child below 13 years of age. Under Article 8(1), the processing of personal data in the context of providing information society services to a child under 13 is lawful only with the consent of the child’s parent or custodian.
Definition of data subject
It was also noted in the Working Party’s Opinion that the definition of a “data subject” in Article 4(1) of the Regulation does not “fundamentally change the notion of personal data” as currently defined in the EU Data Protection Directive 95/46/EC.
The Working Party also noted that under the definition of a data subject in the Regulation, a natural person can be considered identifiable, when, within a group of persons, he or she can be distinguished from other members of the group and consequently be treated differently. However, the notion of singling out in this way is not explicit in the definition as currently drafted. Therefore, the Working Party suggested clarifying the definition of data subject in Recital 23 and Article 4 of the Regulation so that it explicitly covers “any information allowing a natural person to be singled out and treated differently.”
The Working Party also recommended changing Recital 24 to explicitly consider IP addresses and cookies as personal data.
Security Breach Notification
The Regulation proposes a general obligation for notification of personal data breaches (currently notification is only mandatory in the telecommunications sector) on both data controllers and data processors. In the event of a personal data breach, the data controller will be obliged to notify the supervisory authority (in Ireland, this is the Data Protection Commissioner) within 24 hours of becoming aware of the breach. A data processor must inform their data controller of a breach “immediately” after they discover a breach.
The data subject will also have to be informed where the breach is likely to have an adverse effect on them, not later than 24 hours after the breach has been established. Communication of the breach to the data subject will not, as a rule, be required if the controller can demonstrate that it had applied appropriate technological protection measures, such as encryption, to the data concerned, although the supervisory authority may nevertheless require the controller to inform the data subject.
These requirements are similar to those set out in the Code of Practice issued by the Irish Data Protection Commissioner though the Regulation seeks to make notification mandatory for all data controllers and data processors and to impose stricter timelines for notification. Data controllers and processors will now need to have continuous monitoring and reporting systems in place which may prove to be onerous.
It has been noted that there is no “de minimis” provision in the Regulation with regard to breach notification. There are concerns that supervisory authorities will be flooded with breach notifications, including notifications in relation to minor breaches unlikely to cause harm, thereby causing supervisory authorities to suffer “breach notification fatigue”.
Transfer of Data
The existing general restriction on the transfer of data outside of the EEA remains and transfers outside of the EEA will only be permitted where adequate protection is established through, for example, a European Commission decision to the effect that a certain third country ensures an “adequate level of protection”, or the use of Model Clauses or Binding Corporate Rules (“BCRs”). It is proposed to simplify the procedure for establishing BCRs and BCRs will be automatically accepted by all EU Member States once they are authorised by a single supervisory authority.
Right to be Forgotten/Right to Data Portability
The Regulation will introduce increased rights for data subjects. They will have a “right to be forgotten and to erasure” in certain circumstances, enabling them to obtain the erasure of their personal data where they object or withdraw consent to processing (provided that there is no other legitimate ground for retaining the data). As regards the right to object, the burden will now be on the controller to show that it has compelling legitimate grounds for continuing the processing.
In practice, this means that a data controller will have to delete the personal data completely from its systems. Where the controller has made the data public, whether via the internet or otherwise, it will also have to take all reasonable steps, including technical measures, to inform third parties that are processing the data that the data subject has requested erasure of any links to, copies of or replications of that data. This will have a strong impact on online platforms such as social media networks.
There will be a right to data portability which will allow a data subject whose data is processed by electronic means and in a commonly used format to require that data to be transmitted to them on a standard file, or another automated processing system, for further use.
It is interesting to note that the initial stance being adopted by the Commission appears to be one of imposing increased obligations on data controllers and ensuring compliance with such obligations through the threat of significant financial penalties, while bringing the data protection regime in line with the E-Privacy Regulations.
According to the Commission, the harmonisation and simplification of rules, associated administrative requirements and enhanced enforcement provisions to be brought about by the Regulation will provide greater legal certainty for organisations, ultimately saving them millions of Euro annually while at the same time affording greater protection to individuals.
It remains to be seen whether organisations with significant business in Europe will agree with the Commission’s view, but they should nevertheless begin planning a compliance strategy well before the predicted 2014 effective date of the Regulation if they are to adhere to its provisions adequately.